As with any vital area, there are several standardization bodies focused on producing information security related standards. Here are five standardization bodies all security engineers should know about:

The International Organization for Standardization (ISO)

ISO is an international standardization body composed of representatives from multiple national standards organizations. ISO is responsible for the principal information security standards series, the ISO 27000 family.

Composed of more than a dozen published standards, the 27000 family helps organizations manage the security of assets such as financial information, intellectual property, employee details or information entrusted to them by third parties.

ISO/IEC 27001 is the best-known standard in the family. It specifies the requirements for an information security management system (ISMS) and is a must-read for any security engineer.

The National Institute of Standards and Technology (NIST)

NIST is a measurement standards laboratory, and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness.

NIST publishes several freely available special publication series, including SP 800 (computer security), SP 1800 (cybersecurity practice guides) and SP 500 (information technology). It also maintains the NIST Cybersecurity Framework (NIST CSF), a policy framework that provides guidance on how private-sector organizations in the United States can assess and improve their computer security capabilities.

Another valuable publication is NIST Special Publication 800-30, a guide for conducting risk assessments. It shares more than a few similarities with ISO/IEC 27005 (Information security risk management), but has the advantage of being completely free.

The British Standards Institution (BSI)

BSI is the United Kingdom’s national standardization body. BSI produces several technical standards on a wide range of products and services, and also supplies certification and standards-related services to businesses.

In 1995, BSI published British Standard 7799 (BS 7799), which later became ISO/IEC 27001, the most internationally recognized and widely used information security management standard.

With its deep knowledge of ISO/IEC 27001, BSI not only helps improve the standard, but also provides services that train and certify countless organizations around the world in embedding an effective ISO/IEC 27001 ISMS.

The Internet Engineering Task Force (IETF)

IETF is an open standards organization with no formal membership or membership requirements. The IETF creates and promotes voluntary Internet standards, in particular the standards for the Internet protocol suite (TCP/IP).

The IETF is organized into several working groups, grouped into areas by subject matter. The current areas include applications, Internet, operations and management, real-time applications and infrastructure, routing, transport and, quite obviously, security.

The Payment Card Industry Security Standards Council (PCI SSC)

PCI SSC is a global, open body responsible for creating, improving and disseminating security standards for payment account security, and for helping organizations understand them.

The Payment Card Industry Data Security Standard (PCI DSS) was devised as a means of increasing security controls over cardholder data and reducing the risk of credit card fraud. For organizations handling large volumes of transactions, it requires annual compliance validation, conducted either by an external qualified security assessor (QSA) or by a company-specific internal security assessor, who produces a compliance report. For smaller volumes, it is also possible to complete a self-assessment questionnaire (SAQ).

While compliance with PCI DSS is only mandatory for companies that handle cardholder data, any security engineer can benefit from knowing the standard: it is freely available, and its control objectives contain guidance relevant to protecting any company.

The Payment Application Data Security Standard (PA-DSS) is another important PCI publication. Its primary objective is to help prevent payment applications developed for third parties from storing prohibited sensitive data such as full magnetic stripe data, CVV2 or PIN. Quite obviously, PA-DSS is closely linked with PCI DSS, as it requires payment applications to be compliant with the Payment Card Industry Data Security Standard.

Cláudio Dodt is an Information Security Evangelist, consultant, trainer, speaker and blogger. He has more than ten years worth of experience working with Information Security, IT Service Management, IT Corporate Governance and Risk Management.
